As company conduct during COVID-19 comes under scrutiny, Gordon Wade, data protection officer (DPO) and regulatory legal counsel at Hostelworld Group, advises companies to digitise compliance functions, strengthen vendor management, and document decision-making to help mitigate litigation risk.
Gordon Wade is the DPO and regulatory legal counsel at global online travel platform Hostelworld Group, a role he took up just before the outbreak of COVID-19 in January 2020. Wade has a cross-disciplinary background, from which he has accumulated experience on all aspects of data protection law and the implementation of compliance programmes across a variety of industries, including airlines, banks, telecoms companies and public authorities. He predicts a surge in regulator investigations and legal action against companies over their conduct during the pandemic and emphasises the importance of strong due diligence and documentation to demonstrate the company’s devotion to compliance. “I think those occupying the position of compliance officer or similar may have the most important job titles in 2020, regardless of their sector,” he says.
As DPO at Hostelworld, Wade’s role is to ensure ongoing compliance with data protection and cybersecurity laws around the world, reporting directly to the board on the company’s GDPR compliance programme. Meanwhile, as regulatory legal counsel, he leads Hostelworld’s commercial contracts team, which involves negotiating with suppliers, onboarding partner hostels around the globe and drafting terms and conditions for new products or promotions.
Wade started his new role just before the COVID-19 pandemic struck, having never worked for an e-commerce platform before. The key to managing the move to a new role, assuming responsibility for data protection compliance for a company in a new sector while managing a crisis, is “constantly learning from colleagues and augmenting [Hostelworld’s] compliance strategy as I go,” says Wade. During the pandemic, he has focused on communicating with business teams, customers and third parties to ensure compliance and transparency obligations are maintained. Here, he offers his thoughts on how compliance teams should prepare for the coming months.
Long-term digitisation
When taking up his role this year, Wade’s priority was “to ensure our GDPR programme supports progress and innovation, not stifle them.” This vision was put to the test by the short-notice move to remote working when the COVID-19 pandemic struck.
“One of the greatest impacts for me has been the almost overnight overhaul and replacement of the office-based paradigm with the new remote access model and I am sure other organisations would say the same,” he says.
The COVID-19 pandemic required many organisations to quickly shift to remote working environments. Remote working requires a host of tech solutions and tools like video conferencing, email, cloud file storage, file sharing, chat and communication platforms, and remote desktop apps. “Ordinarily, implementing such new tech requires months of planning and preparation but COVID-19 meant companies had just weeks, if not days, to onboard new systems to keep operating,” says Wade, and that haste increases the risk of non-compliance. Hostelworld decided to use a remote access platform that employees could reach through their personal devices at home, an approach that Wade thinks businesses will have to be open to as a normal, or even permanent, set-up after COVID-19. In his own words, “distrust of bring your own device practices will need to be ditched and procedures implemented to enable long term (or even permanent) remote access working.”
The move to remote working “has naturally generated numerous data protection and cybersecurity compliance challenges, such as internet bandwidth issues, increased migration of organisation data to personal devices, cyber criminals taking advantage of COVID-19 and greater security exposure due to inexperience with remote working,” Wade says. These challenges are not going to disappear. As employees return to the office environment, there will be new data protection and health and safety compliance challenges around health screening, temperature testing, workplace monitoring and physical distancing to battle COVID-19. In the longer term, personal data-sharing obligations of companies to aid notifications and contact tracing with national health authorities will present further challenges.
COVID-19 has also increased the pressure on these rapidly adopted digital platforms, Wade explains, because “it has required many organisations in the IT/e-commerce sector to review or even accelerate their plans to adopt digital technologies” or risk falling behind their competitors. This presents another challenge for compliance professionals, who must ensure cybersecurity is maintained as new waves of innovation arrive and the retirement of obsolete tech is accelerated. Cyber insurance is very important going forward as companies find themselves increasingly depending on virtual workspaces, Wade says.
To address the risks associated with digitalising work practices, Wade has found his experience working as a commercial and privacy lawyer at two of the world’s biggest audit firms, KPMG and PwC, “hugely useful” because he had the opportunity to work with many different clients and teams, and was central to the development of legal data privacy service advice lines at KPMG between 2015 and 2019. In that project, Wade saw first-hand the value digital platforms and open communication can add to a company, and this has been invaluable when managing the crisis. In his current role at Hostelworld, he works with multiple teams to ensure timely response to data security incidents, saying “I have a great multidisciplinary team around me, from our customer service team who support on access requests, to the IT security guys who are invaluable for any data security incident, and the product and tech team who implement our privacy-by-design and default mission.” His experience developing the advice lines also showed him the value of digitising services and communication lines, which he sees as the future not just for client-facing operations, but also compliance functions.
As a result, he advises compliance teams to begin preparations to digitise their functions. “Speed, flexibility and agility within compliance will come even more to the fore as markets react to the COVID-19 crisis,” he says, noting that moving away from the manual, paper-based processes of traditional compliance systems will aid this. Before COVID-19, even when digital technology was involved, Wade saw it was often restricted to on-site IT infrastructure, which could only be accessed from machines at the office. In a post-COVID-19 world this will not be fit for practice, so instead he recommends digitisation, noting that “digitising compliance functions (including workflow automation for compliance assessments and surveys) can facilitate the seamless creation, capture, and flow of information.”
Reviews and documenting of conduct
Evidencing the effectiveness of a compliance programme will be crucial in the coming months because regulators are beginning to resume pre-pandemic activities, which will include reviews of conduct during the crisis. “Particularly because of the unforeseeable and unpredictable nature of COVID-19, companies will come under increased scrutiny from regulators, customers and shareholders in how they deal with the crisis,” says Wade, so companies must be able to demonstrate they have ensured the proper creation, implementation, and operation of a robust corporate compliance programme. Failure to do so could leave a company vulnerable to an investigation or even legal action, which Wade predicts will rise as the crisis continues and feels more controlled.
Regulators have balanced being flexible to support companies against preparing for an expected surge in misconduct. For example, in early June the EU set up a new unit of investigators within Europol (namely, the European Financial and Economic Crime Centre) to tackle an expected surge in fraud, corruption and money laundering arising out of the crisis. “This will likely be accompanied by heightened regulatory scrutiny of business operations during COVID-19 in those sectors considered to be at higher risk of criminal infiltration, such as hospitality, travel and tourism,” says Wade.
In the e-commerce sector, he expects business practices relating to consumer cancellations, complaints and refunds to come under the microscope from consumer bodies, particularly in light of the EU Enforcement and Modernisation Directive (aka the Omnibus Directive) having come into force last January. To prepare, compliance teams need to act now, to help their companies avoid fines or investigations, by “devoting enough resources now to investigate customer complaints, including routing complaints to proper personnel, timely completion of thorough investigations and appropriate follow-up.”
Wade advises compliance teams to formally document all investigations, audits, reviews and remediation measures deployed to deal with illegal behaviours, as this can help a company to be viewed favourably by a regulator.
“It is not uncommon for regulators to give ‘credit’ to organisations for voluntary disclosure of misconduct, cooperation in an ongoing investigation or undertaking remedial measures (such as implementing or improving compliance programmes to prevent a recurrence). Processes and procedures to timely detect misconduct and implementing corrective measures to prevent further misconduct put an organisation in a strong position to face any regulatory inquiries and legal actions in the aftermath of the COVID-19 crisis.”
His preferred approach is to conduct a root cause analysis to address and deal with problematic behaviour.
To meet data protection transparency obligations, data controllers should be maintaining open and constant lines of communication with both customers and employees about their data-processing throughout the pandemic and after. “Regulatory actions for failure to comply with the principles of transparency and accountability have already been at the forefront of EU data protection supervisory authorities and it is likely that we will see a wave of complaints and investigations against companies for GDPR compliance failures,” explains Wade. Therefore, records of data-processing activities need to be kept up to date and comprehensive data protection impact assessments conducted where necessary.
While COVID-19 has many firms looking at reductions and cost-cutting measures, Wade notes that legal obligations to maintain an adequate compliance programme remain. As businesses emerge from lockdown and look to find new ways to cope with the aftermath and continued challenges presented by COVID-19, Wade says compliance teams should now look at their company’s programmes to ensure they feature:
- an assessment of material internal and external risks faced by the company (eg, cybersecurity threats caused by an increase in remote work activities);
- strategies to deal with these threats that are applicable throughout its operations (eg, employee training); and
- a focus on maintaining transparent communications with internal and external stakeholders.
Regulators often look at the quality and effectiveness of a compliance programme so one that takes a risk-based approach and gives appropriate attention and resources to high-risk areas may earn a company some credit.
Keep third parties informed
Another area where Wade expects an increase in legal actions is the failure to communicate compliance measures to third parties. “During a crisis, regulators and law enforcement often become overextended and understaffed, which raises the risk of (intentional or not) illegal transactions. To guard against this, companies need to have a thorough understanding of the qualifications and associations of their third-party partners, including the agents, consultants and distributors that are commonly used to conceal illegal behaviours,” he says.
The rapid shift to remote working exposed “critical gaps in information security for many organisations across all sectors but also in the tech providers themselves”, and Wade points out that lawsuits have already begun against video conferencing technology platforms for unlawfully sharing users’ personal information with social media sites and failing to provide adequate personal data security. Such are the concerns that many organisations, Hostelworld included, have specifically banned the use of certain platforms because of concerns over data security. Therefore, some key lessons Wade shares from his experiences evaluating and engaging vendors during COVID-19 include:
- conducting reasonably thorough vendor due diligence and risk assessments and asking lots of questions;
- reviewing critical vendor services agreements and data protection notices;
- assessing if any applicable laws, contractual obligations, or internal company policies may impact your engagement of the vendor;
- implementing contracts with appropriate data security, transfer and protection provisions and ensuring these are consistent with your other contractual obligations, internal policies, and applicable laws; and
- formally documenting your contracting process to demonstrate the processes and controls in place.
By being transparent and communicative with all parties, businesses can help ensure every branch of their network is adhering to regulatory obligations. The move to digital will not fade with COVID-19; rather it will endure and provide compliance teams with an efficient, fast way of carrying out their duties. Across the board, documenting the business’s handling of the crisis could be the difference between legal action and a smooth transition into the post-COVID-19 world.

